Prevalence Report

Threat Landscape Report - November 2009 Edition



The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period October 21st - November 20th, 2009.



FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Exploitations & Regions



The Top 10 exploitation attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (also available as an RSS feed). Percentage indicates the portion of all cases reported this period that the attack accounted for. Severity indicates the general risk factor involved in exploiting the vulnerability, rated from Medium to Critical; critical issues are marked as such in the Severity column. Figure 1a below shows the Top 5 regions attacked in comparison to total attack cases reported this period.

Rank  Vulnerability                                             Percentage  Severity
1     MS.DCERPC.NETAPI32.Buffer.Overflow                        31.9        Critical
2     MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption        22.6        Critical
3     Adobe.Products.SWF.Remote.Code.Execution                  12.9        Critical
4     FTP.USER.Command.Overflow                                  9.8        High
5     Apache.Expect.Header.XSS                                   7.8        Medium
6     AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation   7.8        High
7     MS.Content.Management.Server.Code.Execution                6.4        Critical
8     MS.DirectX.MsVidCtl.ActiveX.Control.Access                 6.1        Critical
9     RoundCube.Webmail.Pregreplace.Code.Execution               5.9        High
10    FTP.Command.REST.Overflow                                  3.2        High



Figure 1a: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 115 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 35 were reported to be actively exploited (30.4%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank  Malware Variant                   Percentage  Top 100 Shift
1     W32/Cutwail.K!tr                  19.8        new
2     W32/Cutwail.C!tr.dldr             13.7        new
3     W32/Agent.C659!tr.dldr             9.0        new
4     W32/PackAgent!tr                   8.3        new
5     W32/Zbot!tr                        7.2        +10
6     W32/FraudLoad.DFN!tr               6.4        new
7     W32/FakeAlert.SYY!tr.dldr          6.3        -2
8     W32/Zbot.P!tr                      3.3        new
9     W32/Inject.SAFETYCENTER!tr.dldr    3.0        new
10    W32/Sasfis.TUB!tr                  2.6        new

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume is the number of unique virus names (variants) detected in a given region, as opposed to total malware volume, which is the accumulated number of all reported incidents; a region can therefore rank high on total volume while seeing only a handful of variants. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:
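As an added example (not part of the Fortinet report), the following Python computes the three ranking metrics defined in the exploit, malware variant and regional sections above from constructed detection records: each entry's percentage share of all cases, the "Top 100 shift" against a previous period's ranking, and total versus distinct malware volume per region. The events, region codes and previous-period ranking are constructed sample data, not FortiGuard telemetry, and the variant names are only borrowed from the table above.

```python
"""Ranking metrics from constructed detection records (added example)."""
from collections import Counter, defaultdict

# Constructed sample of (region, malware_variant) detections for one period.
CURRENT_EVENTS = [
    ("US", "W32/Cutwail.K!tr"), ("US", "W32/Cutwail.K!tr"), ("US", "W32/Zbot!tr"),
    ("US", "W32/Cutwail.K!tr"), ("JP", "W32/Cutwail.C!tr.dldr"), ("JP", "W32/Zbot!tr"),
    ("JP", "W32/Sasfis.TUB!tr"), ("KR", "W32/Zbot!tr"), ("KR", "W32/Zbot!tr"),
    ("KR", "W32/Zbot!tr"), ("KR", "W32/Zbot!tr"), ("IN", "W32/FakeAlert.SYY!tr.dldr"),
]
# Constructed previous-period ranking (best first), used for the shift column.
PREVIOUS_RANKING = ["W32/FakeAlert.SYY!tr.dldr", "W32/Bredolab!tr", "W32/Zbot!tr"]


def rank_with_share(events):
    """Return [(rank, name, percentage_of_all_cases)], ties broken by name."""
    counts = Counter(name for _, name in events)
    total = sum(counts.values())
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(i + 1, name, round(100.0 * n / total, 1))
            for i, (name, n) in enumerate(ordered)]


def ranking_shift(current_ranking, previous_ranking):
    """Map name -> 'new', or signed change in position (positive = climbed)."""
    prev_pos = {name: i + 1 for i, name in enumerate(previous_ranking)}
    shifts = {}
    for rank, name, _ in current_ranking:
        if name not in prev_pos:
            shifts[name] = "new"
        else:
            delta = prev_pos[name] - rank
            shifts[name] = f"{delta:+d}" if delta else "0"
    return shifts


def region_volumes(events):
    """Return {region: (total_volume, distinct_volume)} per the definitions above."""
    per_region = defaultdict(list)
    for region, name in events:
        per_region[region].append(name)
    return {r: (len(names), len(set(names))) for r, names in per_region.items()}


def top_regions(events, by="distinct", n=5):
    """Rank regions by distinct (default) or total volume, ties broken by name."""
    idx = 1 if by == "distinct" else 0
    vols = region_volumes(events)
    return sorted(vols, key=lambda r: (-vols[r][idx], r))[:n]


if __name__ == "__main__":
    ranking = rank_with_share(CURRENT_EVENTS)
    shifts = ranking_shift(ranking, PREVIOUS_RANKING)
    for rank, name, pct in ranking:
        print(f"{rank:<4}{name:<30}{pct:>6}  {shifts[name]}")
    print("by distinct:", top_regions(CURRENT_EVENTS))
    print("by total:   ", top_regions(CURRENT_EVENTS, by="total"))
```

In the sample, KR reports the most total detections but only one distinct variant, so it leads the total ranking and trails the distinct ranking; that is the difference Figures 3a-3c are drawn to show.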


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats



Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's period. Spam rate is the proportion of all email traffic that was tagged as spam. The Top 5 spam regions are ranked by spam received as a share of global spam volume. Statistics are graphed for business working days only, and are shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. The candidate e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements, which keeps the focus on scams and malicious intent. The resulting ranked list is shown in Figures 5a-5c below, which illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Threat Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category  Percentage
Pornography          60.2
Malware              32.4
Spyware               5.3
Phishing              2.2



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



Malware continued to be distributed in peak volume this period, building on a surge that began in September 2009. Last report, Bredolab and scareware were the main occupants of our malware top 10 and were setting records in daily detected volume. Now a battle of the bots has ensued, with Pushdo / Cutwail firmly taking the reins. In the latest developments, we observed a Pushdo variant attempting to remove "grpconv.exe", a binary associated with Bredolab. Malware that removes competing threats has been seen before (Netsky vs. MyDoom, Storm vs. Stration). The Pushdo botnet is known to download the Cutwail trojan, among other components. Two variants of the Cutwail trojan (19.8% and 13.7%) together accounted for over 30% of total malware activity this report, ranked #1 and #2 in our top ten listing. Looking at Figure 2, we can see that Cutwail did this in tremendous volume, nearly doubling the daily records set by Bredolab and scareware last report. This activity was a large contributor to the sharp rise in total volume seen in Figure 3b.

The Cutwail seeding campaigns were largely observed during the first week of November and used simple social engineering: emails with the subject "Hello Darling" and Cutwail attached as "photos.zip". Other campaigns used UPS/DHL invoice lures, similar to Bredolab. Once installed, Cutwail mass-mails whatever spam templates it receives from its controller. In November we observed templates advertising pirated software for sale, typically between $60 and $230 USD. Cutwail is also known to frequently send pharmacy spam such as "Canadian Pharmacy", which, like scareware, is highly profitable because of affiliate programs with high payouts.
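Both seeding runs described here and under Sasfis below share one delivery tactic: a social-engineering subject and a ".zip" attachment that carries the trojan. As an added example, not code from the report or from Fortinet, the following Python shows the check a mail gateway can apply to that tactic: inspect the archive's directory without extracting anything, flag members with executable extensions, and quarantine the message. The sample message, addresses, the extension list and the verdict policy are constructed for the example; the placeholder archive member is inert text, not a real binary.

```python
"""Archive-attachment check for zip-borne trojan lures (added example)."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click; the lure needs the recipient to
# open one of these from inside the archive.  (List chosen for the example.)
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
# Subject lines the report names for the Cutwail and Sasfis seeding runs.
LURE_SUBJECTS = {"hello darling", "mailbox has been deactivated",
                 "facebook updated account agreement"}


def build_sample_message(member="photos.jpg.exe", subject="Hello Darling"):
    """Construct a message in the shape of the 'Hello Darling' / photos.zip lure.
    The archive member is an inert placeholder, not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ placeholder - inert test content")
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Here are the photos I promised :)")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.zip")
    return msg.as_bytes()


def executables_in_zip(data, max_members=200):
    """List archive members with an executable extension, reading only the
    central directory (nothing is extracted).  None if not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [i.filename for i in zf.infolist()[:max_members]]
    except zipfile.BadZipFile:
        return None
    return [n for n in names if n.lower().endswith(EXECUTABLE_EXTS)]


def assess_message(raw):
    """Return (verdict, reasons) for a raw RFC 5322 message: 'quarantine' when a
    zip attachment carries an executable or cannot be parsed, else 'deliver'."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons, quarantine = [], False
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"subject matches a known lure: {subject!r}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        execs = executables_in_zip(part.get_payload(decode=True) or b"")
        if execs is None:
            reasons.append(f"{fname}: not a readable zip archive")
            quarantine = True
        elif execs:
            reasons.append(f"{fname}: contains executable member(s) {execs}")
            quarantine = True
    return ("quarantine" if quarantine else "deliver"), reasons


if __name__ == "__main__":
    print(assess_message(build_sample_message()))
    print(assess_message(build_sample_message(member="notes.txt", subject="Trip report")))
```

The subject match is recorded only as supporting evidence; the quarantine decision rests on the archive contents, since lure subjects change from campaign to campaign while the executable-in-zip pattern does not. An unreadable archive is treated as suspicious rather than ignored, because a deliberately malformed zip that Windows' extractor still opens is a common filter evasion.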

ZBot and scareware remained highly active alongside Pushdo / Cutwail. Figures 5a and 5b show ZBot spam campaigns taking different approaches. The first is a two-stage attack which first phishes for Facebook credentials, then attempts to install the malicious ZBot binary. The second targets Verizon Wireless customers, attempting to get recipients to install a "tool" which is in fact ZBot. Figure 5c shows one of at least three distinct spam campaigns used to seed a new trojan downloader (also known as a "loader"), Sasfis. Sasfis detection was very high this period, with variants landing in our malware top 10 at #3 and #10. The two other Sasfis spam campaigns we observed this report used the subjects "Mailbox has been deactivated" and "Facebook updated account agreement", both with ".zip" attachments containing the trojan. This loader reports to its controller over HTTP by posting information such as a unique bot identifier (similar to Bredolab), and then awaits instructions to download updates and further malicious components. We continue to monitor this prevalent threat.
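As an added example, not part of the report and not based on any Sasfis-specific indicator (the report gives none), the following Python shows behavioural detection logic a SOC could run over proxy logs for the check-in pattern just described: repeated small HTTP POSTs from one client to one host at near-regular intervals, which is what a loader posting a fixed-format report and polling for instructions looks like on the wire. The log format, hostnames, addresses and thresholds are constructed for the example.

```python
"""Periodic-POST beacon detection over constructed proxy logs (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, one request per line:
# "timestamp src_ip method host path bytes_out"
PROXY_LOG = """\
2009-11-05T10:00:00 10.1.1.7 POST updates.example.invalid /cgi/report.php 142
2009-11-05T10:05:01 10.1.1.7 POST updates.example.invalid /cgi/report.php 142
2009-11-05T10:09:59 10.1.1.7 POST updates.example.invalid /cgi/report.php 141
2009-11-05T10:15:00 10.1.1.7 POST updates.example.invalid /cgi/report.php 142
2009-11-05T10:20:02 10.1.1.7 POST updates.example.invalid /cgi/report.php 142
2009-11-05T10:02:00 10.1.1.7 GET www.example.invalid /index.html 0
2009-11-05T10:03:12 10.1.1.9 POST mail.example.invalid /owa/ 300
2009-11-05T10:41:50 10.1.1.9 POST mail.example.invalid /owa/ 450
2009-11-05T13:02:07 10.1.1.9 POST mail.example.invalid /owa/ 120
2009-11-05T13:04:30 10.1.1.9 POST mail.example.invalid /owa/ 260
"""


def parse_proxy_log(text):
    """Parse the constructed format into (datetime, src, method, host, path, bytes_out)."""
    rows = []
    for line in text.splitlines():
        ts, src, method, host, path, out = line.split()
        rows.append((datetime.fromisoformat(ts), src, method, host, path, int(out)))
    return rows


def find_beacons(rows, min_hits=4, max_jitter=0.2, max_body=512):
    """Return [(src, host, mean_interval_s, jitter)] for POST series that look
    machine-driven: at least min_hits small POSTs (<= max_body bytes) from one
    client to one host whose inter-request gaps have a coefficient of
    variation (stdev / mean) no greater than max_jitter.  A human working a
    webmail session posts at irregular times and fails the jitter test."""
    series = defaultdict(list)
    for ts, src, method, host, path, out in rows:
        if method == "POST" and out <= max_body:
            series[(src, host)].append(ts)
    hits = []
    for (src, host), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # identical timestamps: retries, not a schedule
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            hits.append((src, host, round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, host, mean, cv in find_beacons(parse_proxy_log(PROXY_LOG)):
        print(f"beacon candidate: {src} -> {host} every ~{mean}s (jitter {cv})")
```

The thresholds are deliberately loose starting points; a loader that randomises its sleep interval will push the jitter above 0.2, so in practice this check is paired with request-size constancy, a new or low-reputation destination, and the absence of any preceding GET that would explain a form submission.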

In terms of reported attack cases, Adobe.Products.SWF.Remote.Code.Execution moved into third place this month, while MS08-067, notoriously exploited by Conficker, remained in first. Flash and ActionScript are constantly targeted to exploit systems, with techniques such as Flash run-time packers being leveraged. New developments this period include an out-of-band patch for Adobe Shockwave (APSB09-16), a zero-day vulnerability in Internet Explorer (CVE-2009-3762), a Windows 7 DoS, and a new worm targeting jailbroken iPhones. November has been very active for iPhones, with four new attacks exploiting jailbroken devices that run OpenSSH with the well-known default root password left unchanged: malware targeting Dutch iPhones for ransom ($7 USD), a tool stealing SMS messages and contacts (HackerTool/iPhoneStealer), a worm changing the background image, and another trying to steal banking credentials (iPhoneOS/Eeki). These are all areas in which threats will likely continue to develop, so be safe out there: keep all software up to date, and employ a maintained intrusion prevention system to guard against vulnerabilities and zero-days. FortiGuard Labs continues to monitor threats to provide up-to-date detection, while actively discovering zero-day flaws to provide true zero-day protection.


Solutions



Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.